[Snort-sigs] Basic question [] syntax question about excluding a subnet of a larger subnet...

Lorine Ruotolo lori.ruotolo at ...12...
Thu Mar 16 13:50:09 EST 2006

What if he wrote a pass signature for the range he didn't want to check 
before the alert signature?

Wouldn't that work?

>From: Matt Kettler <mkettler at ...189...>
>To: Gentoo-Wally <gentoowally at ...2420...>
>CC: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Basic question [] syntax question about excluding 
>a subnet of a larger subnet...
>Date: Thu, 16 Mar 2006 15:50:27 -0500
>Gentoo-Wally wrote:
> >
> > Question...
> >
> > What is the correct way to exclude a subnet from a larger network in a
> > signature?
>You have to define it as multiple subnet additions. You can't subtract out a 
>range that's already been added, because the behavior of a , is an "or"
>operation, not an AND.
> >
> > var NET1 <>
> > var NET2 <>
> > var NET3 <>
> >
> > alert tcp [$NET1,!$NET2] ANY -> $NET3 ANY ...blah, blah, blah...
> >
> > Is that the right way to watch for something from NET1 but not in NET2
>No. That won't work, you can't do subtraction.
>[$NET1,!$NET2]  will match anything in NET1 *OR* anything not in NET2.
>Since net2 is a subset of net1, this makes it logically equivalent to "any". 
>The first clause will match all of net1, *including* the IPs in net2. The 
>second clause will match all of the rest of IP space. As long as either clause is
>satisfied, it's a match.
>And it has to work this way, unless the syntax changes to allow 
>more complex expressions. If the existing , became an "AND" operation, 
>a list like [,] would not work correctly. That would 
>become a match of nothing, instead of a match of either of two IPs.

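The point Matt makes in the quoted reply is easy to get wrong, so here is a small model of it as an added example (this is not code from the list or from Snort itself). It evaluates a Snort-style IP list under the semantics he describes, comma as OR and ! negating a single element, and then uses Python's ipaddress module to enumerate the "multiple subnet additions" that actually cover NET1 minus NET2. The variable values and test addresses are constructed for the example; the var name NET1_MINUS_NET2 is an assumption. One caveat: later Snort releases changed how negated entries in an IP list combine with the rest of the list, so check the manual for the version you run before relying on either form.

```python
"""Model the IP-list semantics described in the thread (comma is OR,
'!' negates one element) and build the subnet list that actually
excludes NET2 from NET1.  Added example; not code from the mailing list.
Addresses below are constructed (RFC 1918 / documentation ranges)."""
import ipaddress

# Constructed sample values: NET2 is a /24 inside NET1.
VARIABLES = {
    "NET1": "10.0.0.0/16",
    "NET2": "10.0.5.0/24",
    "NET3": "192.0.2.0/24",
}


def _elements(spec):
    """Split a Snort-style list '[a,b,c]' or a bare element into elements.
    Literal nested brackets are not handled; nesting through a $VAR that
    itself holds a list is handled by the recursion in matches()."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [e.strip() for e in spec.split(",") if e.strip()]


def matches(spec, addr, variables=VARIABLES):
    """Return True if addr is matched by spec under the semantics quoted
    above: the list matches if ANY element matches, and a negated element
    matches when addr is NOT in that block."""
    ip = ipaddress.ip_address(addr)
    for element in _elements(spec):
        negated = element.startswith("!")
        if negated:
            element = element[1:]
        if element.startswith("$"):
            # Expand the variable and evaluate its value recursively.
            hit = matches(variables[element[1:]], addr, variables)
        elif element.lower() == "any":
            hit = True
        else:
            hit = ip in ipaddress.ip_network(element, strict=False)
        if hit != negated:
            return True
    return False


def exclude_subnet(outer, inner):
    """Enumerate the CIDR blocks covering outer minus inner, i.e. the
    'multiple subnet additions' Matt describes.  Returned sorted by
    network address so the output is stable."""
    outer_net = ipaddress.ip_network(outer, strict=False)
    inner_net = ipaddress.ip_network(inner, strict=False)
    return [str(n) for n in sorted(outer_net.address_exclude(inner_net))]


def snort_var(name, cidrs):
    """Render a CIDR list as a Snort 'var' line."""
    return f"var {name} [{','.join(cidrs)}]"


if __name__ == "__main__":
    outside = "198.51.100.7"      # not in NET1 at all
    in_net2 = "10.0.5.9"          # in NET2, should be excluded
    in_net1_only = "10.0.9.3"     # in NET1 but not in NET2
    # The OR form is equivalent to 'any': it even matches an outside host.
    print("[$NET1,!$NET2] vs outside host:",
          matches("[$NET1,!$NET2]", outside))
    # The working form: NET1 with NET2 carved out, as explicit subnets.
    carved = exclude_subnet(VARIABLES["NET1"], VARIABLES["NET2"])
    print(snort_var("NET1_MINUS_NET2", carved))   # assumed var name
    for a in (outside, in_net2, in_net1_only):
        print(a, matches("[" + ",".join(carved) + "]", a))
```

Running it shows the first check returning True for a host that is not in NET1 at all, which is the "logical equivalent to any" behaviour, and then an eight-entry var line whose list matches 10.0.9.3 but neither 10.0.5.9 nor the outside host. Feed that var line into snort.conf and reference it as the source in the alert rule instead of [$NET1,!$NET2].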
